The use of linearly independent signal states in realistic
implementations of quantum key distribution (QKD) enables an
eavesdropper to perform unambiguous state discrimination.
We explore quantitatively the limits for secure QKD imposed
by this fact, taking into account that the receiver can monitor
to some extent the photon number statistics of the signals
even with today's standard detection schemes. We compare
our attack to the beamsplitting attack and show that security
against the beamsplitting attack does not necessarily imply
security against the attack considered here.

I. INTRODUCTION

Quantum key distribution (QKD) is a technique to provide
two parties with a secure, secret and shared key.
Such a key is the necessary ingredient to the only provably 
secure way to communicate with guaranteed privacy, the 
one-time pad or Vernam cipher ffl. The first complete 
protocol was given by Bennett and Brassard M (BB84) 
following first ideas by Wiesner |g[. It uses the fact 
that any channel which transmits two non-orthogonal 
states perfectly, automatically makes eavesdropping on 
this channel detectable. 

We consider the BB84 protocol in a typical quantum 
optical implementation. Ideally, Alice sends a sequence 
of single photons which are at random polarized in one 
of the following four states: right or left circular polar- 
ized, or vertically or horizontally polarized. Bob chooses 
at random between two polarization analyzers, one dis- 
tinguishing the circular polarized states, and the other 
distinguishing the linear polarized states. Following a 
public discussion about the basis of the sent signals and 
the measurement apparatus applied to them, sender and 
receiver can obtain a shared key made up from those 
signals where the measurement device gives determinis- 
tic results. This is the sifted key Q. Proofs of security 
of this scheme against the most general attack, even in 
the presence of noise, have been obtained [p|-R|. In this 
article we follow another goal: we would like to illuminate
to what extent even very simple attacks can
render QKD impossible once realistic imperfections like
lossy lines and non-ideal signal states are taken into account.
The difficulties implied, for example, by the use
of weak coherent states in combination with lossy lines
have been pointed out earlier I pMrcl and this subject has
been illuminated in depth in [11], where bounds on coverable
distances are given. Positive security proofs for
sufficiently short distances and taking into account the
realistic signals are given for individual attacks [12] and
coherent attacks ]1^. The eavesdropping attacks which
crack the secrecy of the key for set-ups exceeding these
secure distances are still quite complicated. The eavesdropper
needs to perform a QND measurement on the
total photon number of the signal, then he has to split a
photon off the occurring multi-photon signals [11], store
that photon, and then, finally, measure it after the public
discussion.

In this paper we are looking into much simpler eaves- 
dropping strategies which make use of the opportunities 
arising from lossy lines and non-ideal signals. Such an 
attack has been proposed by Bennett ||lj and Yuen [||. 
It uses the fact that Eve can, with finite probability, dis- 
criminate the four signal states unambiguously. When- 
ever such a discrimination is performed successfully, the 
eavesdropper knows immediately which of the four sig- 
nal states was sent and can send this information via a 
classical channel to Bob's detector, in front of which she 
places a state preparation machine to prepare the identified
state. This way this state does not experience the
losses of the actual quantum channel, and Eve does not
have to invest in a perfect quantum channel.

The investigation of this scenario refines Bennett's and 
Yuen's analysis since it takes into account that, to a certain
extent, the photon statistics of the signals arriving
at Bob's detectors can be monitored. The results illumi- 
nate the restrictions placed on implementations of QKD 
on lines with strong losses. Thereby we can show that 
the currently widely used conditional security standard 
of security against beamsplitting attacks [Q is incom- 
plete. Especially, contrary to common belief, the use 
of unambiguous state discrimination can be a more effi- 
cient eavesdropping strategy than the beamsplitting at- 
tack, even for dim coherent states. 

The paper is organized as follows. In Sec. II we recapitulate
the principles of unambiguous state discrimination.
These are applied in Sec. III to the signal states in
the BB84 protocol with dim coherent signal states. In
Sec. IV we introduce an eavesdropping attack based on
unambiguous state discrimination (USD attack) and analyze
it in detail, taking the photon number distribution
of the signals arriving at Bob's detectors into account. In
Sec. V we discuss the relation between the beamsplitting
attack and the USD attack. Sec. VI concludes the article
with a short summary.



II. UNAMBIGUOUS DISCRIMINATION OF 
SIGNAL STATES 

Unambiguous state discrimination is possible whenever
the $N$ states in question are linearly independent. The
problem can be described by a measurement which can
give the results "state 0", "state 1", ..., "state $N-1$", and
the result "don't know". The constraint is that the measurement
results should never wrongly identify a state,
and the goal is to keep the fraction of "don't know" results
as low as possible. This problem has been investigated
by Ivanovic [15] for the case of two equally probable
non-orthogonal states. Peres [M solved this problem in a
formulation with Probability Operator Measures (POM).
Later Jaeger and Shimony ||l^ extended the solution to
arbitrary a priori probabilities. Peres's solution has been
generalized to an arbitrary number of equally probable
states which are generated from each other by a symmetry
operator by Chefles and Barnett [18]. Their result
can be summarized as follows: the symmetry allows one to
write the input states in the form

where the states $|\phi_j\rangle$ represent some set of
orthonormal states. Note that the states
$\frac{1}{\sqrt{N}} \sum_j \exp\left(2\pi i \frac{jk}{N}\right) |\phi_j\rangle$
form another orthonormal set. It turns out that the optimal
strategy for unambiguous state discrimination consists of two
steps. In the first step a filter operation is performed such
that the output states are either the orthonormal states

some linear dependent states. This step can be described
by a completely positive map with the two Kraus operators.
They are defined with the help of the minimum
coefficient $c_{\min} = \min_j |c_j|$ as

The conditional state in the event of successful filtering
is now given as

In a second step, we can perform a von Neumann projection
measurement on this state to identify unambiguously
the state $k$ via the corresponding orthonormal state. The
probability of this successful identification is given by

$P_D = N \min_j |c_j|^2$. (4)

For the case of two equally probable non-orthogonal polarization
states of a single photon a quantum optical implementation
following this two-step idea has been given
by Huttner et al. Jll and by Brandt |0].



III. SIGNAL STATES 

A first description of realistic signal states is that of
a coherent state with a small amplitude $\alpha$. This corresponds
to the description of a dimmed laser pulse. The
coherent state is given by

where $a^\dagger$ is the creation operator for one of the four BB84
polarizations which can be expressed in terms of two creation
operators $b_1^\dagger$ and $b_2^\dagger$ (corresponding, e.g., to two
linear orthogonal polarizations) as

In terms of these two modes the signal states become
therefore



a\- 


^ji('! + "5) 


0-2 = 


^ ;,(-.! -4), 


al = 


-^,{»\-ni) 





a \ 


o) = 


V2/ 




a \ 


l) = 


V2/ 




a \ 


2) = 


V-2/ 




a \ 


3) = 


V-2/ 



a 

72 
. ct 

a 

a 

-'T2 



(10) 

(11) 

(12) 
(13) 



We can calculate the values of the $c_j$ in terms of the
overlaps of the four states according to the formula [18]

and find as a function of the expected photon number

The minimum of these four functions depends on the
value of $\mu$. The four functions $4|c_j|^2$ are plotted in Fig. 1
from where we can read off $P_D$ as the minimum.

FIG. 1. The fourfold weight $4|c_j|^2$ of the four canonical
states $|\phi_j\rangle$ as a function of the mean photon number $\mu$. The
lower bound of these four curves gives the optimum probability
for unambiguous state discrimination.

It turns out, however, that for realistic sources these
states are not the correct description of the situation.
The reason is that Eve does not have a phase reference,
that means that for a given polarization she does not
see the coherent state $|\alpha\rangle$ but the phase averaged density
matrix $\frac{1}{2\pi} \int_\varphi |e^{i\varphi}\alpha\rangle\langle e^{i\varphi}\alpha| \, d\varphi$.
This results in signal states
which are mixtures of Fock states with a Poissonian photon
number distribution described by the density matrix

Here the state $|n\rangle$ denotes the Fock state with $n$ photons
in one of the four BB84 polarization states. The optimal
strategy to discriminate between the four possible density
matrices can be logically decomposed into a QND
measurement on the total photon number in the modes
$b_1$ and $b_2$ together and a following measurement which
unambiguously discriminates between the four resulting
conditional states for each total photon number. The
justification for this is that the total photon number via
the QND measurement "comes free", since the execution
of this measurement does not change the signal states.
However, given the resulting information, we know the
optimal strategy on the conditional states according to
[18]. Therefore we find that the total probability of unambiguous
state discrimination $P_D$ is given in terms of
the respective probabilities for each photon number subspace
$P_D^{(n)}$ as

The conditional states resulting from the QND measurement
and corresponding to $n$ photons in total satisfy
again the symmetry condition which allows us to apply the
results by Chefles and Barnett. We find for the four coefficients
(as a function of the photon number $n > 0$) the
expressions

Therefore the maximum probability of unambiguous
state discrimination for fixed value of $n$ is given by

$P_D^{(n)} = \begin{cases} 1 - 2^{1 - n/2} & n \text{ even} \\ 1 - 2^{(1 - n)/2} & n \text{ odd.} \end{cases}$

It is possible to sum up the contributions from different
photon numbers from the Poissonian distribution and we
obtain the expression

This result is compared to the result for coherent states
in Fig. 2. As expected, the probability for unambiguous
state identification is lower for the mixture of Fock states
than for the coherent states. An expansion in terms of the
photon number $\mu$ gives $P_D = \frac{1}{12}\mu^3 + O(\mu^4)$ for both
situations. For lower than third order the signal states are
not linearly independent, so that no unambiguous state 
discrimination is possible. Note that an actual implemen- 
tation does not necessarily need to follow the decompo- 
sition into a QND and another measurement. We just 
need to implement one generalized measurement. Actu- 
ally, Bennett et al. |lj] and Yuen [gj gave a simple beam- 
splitter setup which obtains a discrimination probability 

oiPD^^^Ji^ + o{^i^). 

FIG. 2. Comparison of the optimum probability of unambiguous
state discrimination for coherent states and for the
corresponding mixture of Fock states. Both have the same
Poissonian photon number distribution with mean photon
number $\mu$.



IV. UNAMBIGUOUS STATE DISCRIMINATION 
AS EAVESDROPPING STRATEGY 

We now consider the realistic situation that Alice uses
the phase-averaged coherent states as signal states which
are described by a Poissonian photon number distribution
with mean photon number $\mu$. In this scenario we
fix our eavesdropping strategy, to which we refer as the
unambiguous state discrimination attack (USD attack) as
follows: The unambiguous state discrimination allows 
Eve to identify a fraction of the signals without error. 
For this fraction, she can prepare a corresponding state 
close to Bob's detectors such that no errors appear for 
these signals. Whenever the identification does not suc- 
ceed, she sends the vacuum signal to Bob to avoid errors, 
which therefore will not be relevant in the considered sce- 
nario. 

We need to study this strategy under realistic constraints.
An important constraint is that the transmittance
of the quantum channel connecting both parties
is given by the transmission efficiency $\eta_L$. We consider
a detection setup where Bob monitors each polarization
mode in the chosen basis by one detector. These detectors
have a finite detection efficiency $\eta_B$, in which we
include any additional loss on Bob's side, e.g. from a
polarizing beamsplitter. The detectors are modeled as 
"yes/no" detectors, which either fire, or they do not fire; 
they cannot distinguish the number of impinging pho- 
tons. 

It is clear that once Eve has identified a signal she is
interested in producing a signal in the corresponding polarization
such that Bob will detect it despite his inefficient
detectors. One strategy is to send a stronger signal than 
the original one in the correct polarization. This will 
work as long as Bob measures in the polarization basis 
which includes the signal polarization (sifted key), but
it will lead to an increased coincidence rate of clicks in
both of Bob's detectors otherwise. Our analysis extends 
previous analysis to include the additional constraint put 
on the eavesdropping strategy by the fact that Bob ob- 
serves not only the rate of clicks of one or the other de- 
tector, but also the rate of events when both detectors 
fire, each monitoring one of the orthogonal polarization 
modes. The latter event will be observed ideally only 
when Alice and Bob use different bases, independently 
of the presence or absence of an eavesdropper. Eve's aim
is to reproduce these two observables with the minimum 
number of non-vacuum signals to make efficient use of 
the successfully identified signals. 

In the absence of Eve, whenever Alice and Bob use the
same polarization basis Bob expects at most one
detector to click; the probability of a click is

as follows from the Poissonian photon-number statistics
of coherent states.

Whenever Alice and Bob use different bases a double-click
may occur; its probability is

What happens in the presence of Eve depends on the
signals Eve sends for those of Alice's signals that she has
identified successfully. It is clear that Eve can avoid the
occurrence of double clicks when Alice and Bob measure in
the same basis, since she unambiguously determined the
signal. Therefore it is not useful to monitor the double click
rate when Alice and Bob use the same basis.

Note that we do not need to take detector dark
count rates or errors due to misalignment into account.
The reason for that is that we will investigate the limit
when the USD attack gives complete information to Eve
while it reproduces the expected probabilities $P_1$ and $P_2$.
The values of these probabilities in the absence of an 
eavesdropper and the reproduced values resulting from a 
successful USD attack will be affected in the same way by 
the error mechanisms of dark counts and misalignment 
etc., so that the resulting real observed rates will still be 
indistinguishable. 



A. Eve sends n-photon states 

Let us suppose now, that whenever Eve succeeds in the 
unambiguous state discrimination she sends a number 
state (with correct polarization) containing N photons 
to Bob. If she fails she simply sends no photon. 

If Alice and Bob use the same basis, at most one of
Bob's two detectors will click. The probability of this event
is given by

This is the probability that one detector clicks if a state
$|N\rangle$ comes, multiplied by the probability that Eve succeeds
in USD (and sends $|N\rangle$).

If Alice and Bob use different bases, we can think of the
photons as being equally and independently distributed
to both Bob's detectors. The probability to find $k$ photons
at the first detector and $\ell$ photons at the second
one (with included detection efficiencies) is given by the
formula

where the summation limits stem from obvious constraints
$m \ge k$, $N - m \ge \ell$. Thus the probability of
double click in Bob's "yes-no" detectors when Eve is active
and while Alice and Bob use different polarization
bases reads

(note that $B_{00}$ would be subtracted two times). Because
of the symmetry of the configuration, obviously,
$\sum_{\ell=0} B_{0\ell} = \sum_{k=0} B_{k0}$. With the expressions

we obtain finally for the double-click probability

B. Eve sends a mixture of number states

Of course, there is no reason to restrict Eve only to
the use of number states. After successful state discrimination
she can send to Bob any pure state or mixture.
However, from Bob's point of view these signals are effectively
mixtures of photon number states because of the
nature of his detectors (they may be described by the
pair of projectors $P_{\rm no} = |0\rangle\langle 0|$ and
$P_{\rm yes} = \sum_{n=1}^{\infty} |n\rangle\langle n|$).
Therefore it is sufficient to analyze only a mixture of photon
number states in the polarization of the identified signal,
so that only the photon number statistics remains to
be chosen by Eve.

As already mentioned, Bob is interested only in the
number of single clicks (in case that his and Alice's bases
coincide) and double clicks (if the bases differ). One
can plot a very illustrative diagram displaying relations between
corresponding single-click and double-click probabilities
(see Fig. 3).

FIG. 3. Diagram displaying relations between "single-click"
and "double-click" probabilities. The highlighted
area contains all possible combinations of Bob's detection
probabilities stemming from Eve's activity (described in the
text) for a given detection efficiency (here, particularly,
$\eta_B = 0.5$) and a given mean photon number in states sent by
Alice ($\mu = 4$). It is a region of insecure key generation. The
shape of the area depends on $\eta_B$, the scaling on $\mu$ [through
discrimination probability $P_D(\mu)$]. The separate dotted curve
represents a set of all possible "working points" without an
eavesdropper, i.e. a set of all possible pairs of expected $P_1$ and
$P_2$. Any particular position of a working point depends on the
values of the line transmittance ($\eta_L$), the detection efficiency
($\eta_B$), and the mean photon number ($\mu$). The value of $\mu = 4$
is chosen to make the diagram well readable. The structure
is the same for lower, realistic values.

The situation where Eve sends number states to Bob 
is represented by a dot for each value of the photon 
number N. The positions of these dots have been cal- 
culated for fixed values of rj^ and fi. Coordinates of a 
point corresponding to any mixture of number states can 
always be expressed as a linear convex combination of 
coordinates corresponding to individual number states. 
Because of the convexity of the above mentioned curve 
all such points must lie inside (or on the boundary) of 
the polygon with vertices at the points corresponding to 
number states (i.e. in the area highlighted in Fig. 3).

We can explicitly prove the convexity of the boundary
formed by the points for fixed photon number.
The points with x-coordinate $P_1^{(N)}$ [Eq. (Eq)] and
y-coordinate $P_2^{(N)}$ [Eq. (pM)] lie on a continuous curve
which can be expressed with help of Eq. by a real
continuation of the parameter $N$ as

Substituting into Eq. (E9[) we obtain the explicit equation
of the curve

$\ln(1 - \eta_B)$

Calculating the second derivative of Eq. ( pO| ) with respect
to $x$ and using the fact that $\eta_L$, $\eta_B$, and $x/P_D$ take values
in the interval between 0 and 1, it follows that the
curve given by Eq. ( pO[ ) is convex. This proves that the
highlighted area in Fig. 3 is indeed convex.

FIG. 4. If the value of expected single-click probability is
greater than the discrimination probability ($P_1 > P_D$) the
described USD attack can be, in principle, detected. The plot
shows an example of a curve separating the set of values of
total efficiencies ($\eta_L\eta_B$) and mean photon numbers (in states
sent by Alice) satisfying the above constraint [see inequality

(1)1 • 



C. Insecure parameter regime 

The convex area defined in the previous section can be
called a region of insecurity. We define the working point
of a setup as the point whose coordinates are given
by expected values in the absence of an eavesdropper. If
this working point falls into the region of insecurity, Eve
can get complete information on the key without a risk
of being disclosed.

The set of all possible working points is represented
by the dotted curve in the diagram. Expected single-click
probability $P_1$ [Eq. (p8|)] represents the x-coordinate,
expected double-click probability $P_2$ [Eq. (29)] represents
the y-coordinate. From Eq. (Eq) the exponential can be
expressed and substituted into Eq. (27). Thus the explicit
equation of the working point curve reads

We have to answer the question for which values of
parameters $\eta_L$, $\eta_B$, and $\mu$ the working point lies in the
region of insecurity.



1. Necessary condition for insecurity 

If the expected probability of single clicks satisfies
$P_1 > P_1^{(N)}$ for all $N$ then the working point will certainly
not fall into the region of insecurity, which is clearly illustrated
in Fig. ^. This leads to the necessary condition for
insecurity given by $P_1 < P_D$. To evaluate the implication
for the experimental parameters, we substitute Eq. (p6[)

An analysis of this expression shows that for a fixed expected
photon number $\mu$ a system cannot be cracked by
a USD attack if the total transmission efficiency $\eta_L\eta_B$
is higher than a certain threshold which depends on the
expected photon number $\mu$. This dependence is evaluated
numerically in Fig. 4. The surprising aspect is
that the threshold does not go to 1 as $\mu$ goes to infinity.
Instead we find

This shows that the implementation of quantum
cryptography with weak coherent states cannot be
cracked completely by the USD attack for all values of the
expected photon number $\mu$ as long as the total transmission
satisfies $\eta_L\eta_B > 1 - 2^{-1/2}$.



2. Sufficient condition of insecurity 

In this section we will derive precise conditions determining
when a working point falls into the region of insecurity.
In a first step we will show that for parameters of
practical applications it is sufficient to consider the scenario
in which the working point falls below the straight line going
through the origin and the vertex $N = 2$. This condition
corresponds to

The coordinates of points used in this condition are defined
in Tab. I. In the second step we can then determine
whether in this scenario the working point lies inside or
outside the region of insecurity by checking on which side
of the line going through the vertices $N = 1$ and $N = 2$
it lies (see Fig. 3). If it lies on the left, QKD is insecure.
This corresponds to the inequality

Working point:  $x_w = 1 - \exp(-\eta_L\eta_B\mu)$,   $y_w = [1 - \exp(-\eta_L\eta_B\mu/2)]^2$
Vertex N = 1:   $x_1 = P_D\eta_B$,   $y_1 = 0$
Vertex N = 2:   $x_2 = P_D(2\eta_B - \eta_B^2)$,   $y_2 = P_D\eta_B^2/2$

TABLE I. Coordinates of selected points in the parameter
space of "observables", which are the probabilities of single
clicks (x) and double clicks (y) in Bob's detectors.

First, let us turn to the inequality (34). Substituting
expressions for all coordinates according to Tab. I
one obtains an inequality which is quadratic in the variable
$R = \exp(-\eta_L\eta_B\mu/2)$ with the parameter $\eta_B$. We
find that the working point lies below the line connecting
vertices $N = 0$ and $N = 2$ if
$R \in \left(\frac{4 - 3\eta_B}{4 - \eta_B}, 1\right)$. Thus
the mean photon number in coherent states sent by Alice
must be lower than a threshold $\mu_2$ given by

We find that $\mu_2 \in [1/\eta_L, 2\ln 3/\eta_L]$ for any $\eta_B$ and,
especially, always $\mu_2 > 1$. As we can see, this condition
is satisfied in all current experiments and does not pose
a serious restriction to the validity of our analysis especially
for non-negligible loss.

Now let us turn our attention to the condition (B3)
which, whenever condition (36) is fulfilled, determines
whether the working point is in the region of insecurity.
It can be expressed in the following form

$F(\mu, \eta_L, \eta_B) := x_w\eta_B - 2y_w(1 - \eta_B) - P_D\eta_B^2 < 0.$ (37)

Due to the complicated dependence of $P_D$ on $\mu$ we failed
to find its analytical solution. The analytical statement
we can make without any extra approximation is based on
the observation that

$\eta_L\eta_B^2 > 0$ and $F(0, \eta_L, \eta_B) = 0$.

This implies that there exists always a range of values
for $\mu$ starting from $\mu = 0$ for which we have $F > 0$, i.e.
the security of the key distribution cannot be cracked
completely by the USD attack.

It is easy to evaluate condition (37) numerically. In
Fig. 5 we give an example for the values of line transmittance
$\eta_L = 0.1$ and detection efficiency $\eta_B = 0.5$ (so that
$\mu_2 \approx 13.46$). In this particular case, the transmission
becomes insecure at about 2.07 photons. It is not completely
satisfying to have to fall back to numerical methods
to investigate the security against the USD attack.
Fortunately, it is possible to get some analytic results in
a situation which is relevant to applications.

FIG. 5. The sign of the function $F(\mu, \eta_L, \eta_B)$ is a criterion
for the security (positive) or insecurity (negative) of the
quantum key distribution with respect to the USD attack. The
line transmittance and Bob's detection efficiency are fixed:
$\eta_L = 0.1$, $\eta_B = 0.5$. Mean photon number, $\mu$, goes from
zero to the $\mu_2$ limit. If $F$ is negative the transmission is totally
insecure. The zero point lies at $\mu \approx 2.07$ photons.
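The numerical check described above, as an added example that is not code from the paper: it evaluates the working point of Table I, the threshold $\mu_2$ and the function $F$ of Eq. (37) for a given link. Assumptions: $P_D$ is computed by summing the per-photon-number probabilities over the Poissonian distribution, $\mu_2$ is derived here from the line through the origin and the vertex $N = 2$, and all function names are hypothetical.

```python
import math


def p_usd_fock(n):
    """Optimal USD success probability for the four n-photon BB84 states."""
    if n < 3:
        return 0.0  # below three photons the states are linearly dependent
    exponent = 1.0 - n / 2.0 if n % 2 == 0 else (1.0 - n) / 2.0
    return 1.0 - 2.0 ** exponent


def p_usd(mu):
    """P_D for phase-averaged coherent states: Poisson average over n."""
    n_max = int(mu + 12.0 * math.sqrt(mu) + 40.0)  # covers the Poisson tail
    weight = math.exp(-mu)  # Poisson weight for n = 0
    total = 0.0
    for n in range(1, n_max + 1):
        weight *= mu / n
        total += weight * p_usd_fock(n)
    return total


def working_point(mu, eta_l, eta_b):
    """Expected (single-click, double-click) probabilities without Eve."""
    t = eta_l * eta_b * mu
    return 1.0 - math.exp(-t), (1.0 - math.exp(-t / 2.0)) ** 2


def mu2(eta_l, eta_b):
    """Largest mu for which the working point lies below the line through
    the origin and the vertex N = 2 (derived here from Table I)."""
    r_min = (4.0 - 3.0 * eta_b) / (4.0 - eta_b)
    return -2.0 * math.log(r_min) / (eta_l * eta_b)


def f_criterion(mu, eta_l, eta_b):
    """F of Eq. (37): negative means the USD attack goes unnoticed."""
    x_w, y_w = working_point(mu, eta_l, eta_b)
    return x_w * eta_b - 2.0 * y_w * (1.0 - eta_b) - p_usd(mu) * eta_b ** 2


def usd_verdict(mu, eta_l, eta_b):
    """Classify a setup with respect to the USD attack only."""
    if mu >= mu2(eta_l, eta_b):
        return "undetermined"  # outside the range where F decides
    if f_criterion(mu, eta_l, eta_b) < 0.0:
        return "insecure"
    return "not fully breakable"


def critical_mu(eta_l, eta_b, steps=400, tol=1e-9):
    """First mean photon number below mu2 at which F turns negative."""
    limit = mu2(eta_l, eta_b)
    lo = limit / steps
    for i in range(2, steps):
        hi = limit * i / steps
        if f_criterion(hi, eta_l, eta_b) < 0.0:
            # F > 0 at lo and F < 0 at hi: refine the crossing by bisection
            while hi - lo > tol:
                mid = 0.5 * (lo + hi)
                if f_criterion(mid, eta_l, eta_b) < 0.0:
                    hi = mid
                else:
                    lo = mid
            return 0.5 * (lo + hi)
        lo = hi
    return None  # F stays non-negative up to mu2


if __name__ == "__main__":
    eta_l, eta_b = 0.1, 0.5  # the values used for Fig. 5
    print("mu2         =", round(mu2(eta_l, eta_b), 2))
    print("critical mu =", round(critical_mu(eta_l, eta_b), 2))
    for mu in (0.1, 0.5, 2.5, 5.0):
        print(mu, usd_verdict(mu, eta_l, eta_b))
```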



3. Partly accessible loss in a system with large loss

The results of the previous sections illuminate to what
extent Eve can achieve perfect eavesdropping by making
an unambiguous state discrimination measurement followed
by sending the identified signals directly to Bob's
detectors, thereby bypassing the lossy quantum channel.

However, Eve does not necessarily need to access the
whole lossy quantum channel to be successful. By accessing
we mean that Eve can avoid these losses either
by replacing a quantum channel by a perfect, loss-free
one, or by replacing it by classical communication and
state preparation. The formulas of the previous sections
still apply if we collect in the quantity $\eta_B$ all those losses
on the way to Bob's detector which are not accessible
to Eve, while $\eta_L$ denotes now only that loss that is accessible
to her. It is instructive to look at the limit of
high non-accessible losses ($\eta_B \ll 1$). In that case we can
approximate the function $F$ of equation (37) by



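$F \approx \eta_B^2 \left( \eta_L\mu - \frac{1}{2}\eta_L^2\mu^2 - P_D \right)$. (38)

The insecurity criterion $F < 0$ in the region $\mu < \mu_2$ (from
Eqn. (pq)) then leads to the condition

$\eta_L < \frac{1}{\mu} \left[ 1 - \sqrt{1 - 2P_D} \right]$ (39)

which is independent of $\eta_B$. It can be approximated by

$\eta_L < \frac{P_D}{\mu} \approx \frac{\mu^2}{12}$. (40)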

FIG. 6. The secure parameter regime for the losses accessible
to Eve for large Bob's losses ($\eta_B \ll 1$) is the region
above the solid line ($F > 0$). In the region with $F < 0$ and
$\mu < \mu_2$ the system is insecure. In the remaining region we
have $F < 0$, but since $\mu > \mu_2$, we cannot make any definitive
statements about security.

Condition (p3) is shown in Fig. 6 as a solid line. To
make statements about security against the USD attack,
we need to consider additionally condition (36), which
can be approximated by $\mu < 1/\eta_L$ in leading order of $\eta_B$
and is shown as a dashed line. We now can conclude that
the system is secure against USD attacks in the regime of
small detection efficiencies $\eta_B$ if we are in the parameter
region with $F > 0$ and $\mu < \mu_2$. Furthermore, the system
is insecure in the region $F < 0$ and $\mu < \mu_2$. For the
region with $\mu > \mu_2$ we can only make indirect statements.
One is that if the system is secure for a pair of values
$(\mu, \eta_L)$, then it must be secure for all values $(\mu, \eta_L')$ with
$\eta_L' > \eta_L$, otherwise Eve could gain an advantage by not
accessing all the loss available to her. Therefore the only
region about which we cannot make a statement with the
present calculation is the region with $\mu > 4.1$ and $\eta_L > 1/\mu$.
Here a more detailed calculation would be necessary.

Note that these considerations are valid for $\eta_B \ll 1$
and only in this limit does $\eta_B$ no longer play any role.
For higher values of $\eta_B$ this changes.



D. Remark to the statistical nature of the problem 

One should keep in mind that all of Bob's measurements
have a statistical character. Bob does not measure
probabilities but finite numbers of clicks which naturally
fluctuate. In practice Bob must set certain limits of a
"confidence interval" of acceptable numbers of detector
clicks. This has the effect that in some cases Bob will reject the
transmission even if no eavesdropper is present. A more
serious implication is that there is always some non-zero
probability that Eve will not be detected even if the working
point lies outside the insecurity region.

Note that Eve does not need to eavesdrop all the time
- she may let pass a fraction of the signal sequence without
any intervention. Her (deterministic) information on
the key decreases with this strategy. But both Bob's
single- and double-click probabilities also change. The
point corresponding to such an eavesdropping strategy
(in the diagram as in Fig. 3) shifts along the straight line
connecting "full-time" Eve's strategy point with Alice's
and Bob's working point. The relative shift equals the
fraction of transmission during which Eve is active.

For practical purposes it would be necessary to determine
the probability that Eve's information on the key
(due to the USD attack) will be smaller than a certain
chosen limit, as a function of the limits of the confidence
interval and of the length of the key. This represents
a challenge for further research in this field.



V. USD ATTACK VERSUS BEAMSPLITTING 
ATTACK 

Traditionally, security against the beamsplitting at- 
tack WM has been used as a practical level of security. 
In the beamsplitting attack the lossy line is replaced by 
an ideal loss-free line complemented by a beamsplitter 
such that the total loss of the original line is reproduced. 
The eavesdropper stores any photons coming out of the 
free arm of the beamsplitter. Whenever the eavesdrop- 
per and the receiver obtain a photon, which is possible 
for multi-photon signals, Eve can measure her signal after 
she learns the polarization basis in the public announce- 
ment and she will learn thereby the bit value of these 
signals completely. 

It is interesting to note that security against beamsplit- 
ting attack suggests that one can obtain a secure key even 
for large average photon numbers. In the absence of er- 
rors, the gain rate of secure key bits per signal bit can be 
approximated in a way similar to that used in [12] for the
optimal individual attack. This approximation is given 
by 



$$G_{BS} = \frac{1}{2}\left(P_{\mathrm{exp}} - P_{\mathrm{split}}\right), \tag{41}$$



where the factor 1/2 stems from discarding signals with
unequal polarization basis. Then $P_{\mathrm{exp}}$ is the
probability that Bob receives a signal, while $P_{\mathrm{split}}$
is the joint probability that Eve learned the bit value of a
signal and that the signal is received by Bob. To point out the
basic problem of the beamsplitting attack it is sufficient to
consider the case of $\eta_B = 1$ and of coherent states. Then
we find for Poissonian photon statistics and a transmission rate
$\eta$ of the system



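$$P_{\mathrm{exp}} = 1 - \exp(-\eta\mu), \tag{42}$$

$$P_{\mathrm{split}} = P_{\mathrm{exp}} \left\{1 - \exp\left[-(1-\eta)\mu\right]\right\}, \tag{43}$$

$$G_{BS} = \frac{1}{2} \exp\left(-(1-\eta)\mu\right) \left[1 - \exp(-\eta\mu)\right], \tag{44}$$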



which is always positive. Actually, the optimum is obtained
for $\mu \approx 1$. It is clear from our analysis, however,
that for large values of $\mu$ and typical loss rates, the USD
attack will render the quantum key distribution protocol
completely insecure.

The awareness of this problem is low, and it is thought
that it can be avoided by complementing the beamsplitting
attack with the additional requirement to keep the
average photon number low, much lower than 1, so as to
keep the set-up in the quantum domain. This seems
rather odd, since there is no obvious justification for this
requirement. More importantly, even for photon numbers
$\mu \ll 1$ we find that for sufficiently large loss the
transmission becomes insecure according to the USD attack
while the analysis according to the beamsplitting
attack makes us believe that we are dealing with a secure
key. It seems that the USD attack is underestimated
since the probability of success in the unambiguous state
discrimination goes with $\mu^3$, since only for three or more
photons are the four signal states actually linearly
independent. The beamsplitting attack, however, succeeds with
a probability of order $\mu^2$, since already two photons can
be split by the beamsplitter.

This seems to imply that beamsplitting is the more
powerful attack. However, this is not the case since the
two attacks vary in their power differently as the loss of
the system increases. In the USD attack the probability
to identify a signal depends only on the average photon
number $\mu$, and once this probability is high enough to
generate the expected number of signals for the receiver
(which depends on the amount of loss) then the transmission
becomes insecure. In the beamsplitting attack,
on the other hand, the total probability of identified signals
$P_{\mathrm{split}}$ depends on $\mu$ and on the transmission
coefficient $\eta$, and this probability goes down with
increasing loss for fixed $\mu$. And indeed, we find that
$P_{\mathrm{exp}} > P_{\mathrm{split}}$. In other words, the
beamsplitting attack becomes less efficient with increasing
loss. This is easy to see in a simple example of a two-photon
signal. The probabilities $p(n, 2-n)$ that $n = 0, 1, 2$
photons arrive at Bob's detectors and $2 - n$ photons go to
Eve in the beamsplitting attack are given by



$$p(0, 2) = (1-\eta)^2, \tag{45}$$

$$p(1, 1) = 2\eta(1-\eta), \tag{46}$$

$$p(2, 0) = \eta^2. \tag{47}$$



This means that for high losses ($\eta \ll 1$) most likely
both photons are sent to Eve. The probability of this event
is $p(0, 2) \approx 1 - 2\eta$, while the splitting probability
goes down as $p(1, 1) \approx 2\eta$. The respective
probabilities for $n$-photon signals are of the same order of
magnitude in $\eta$. Therefore, clearly, there is a crossover
as a function of $\eta$ where, for fixed average photon number
$\mu$, the USD attack is more efficient than the beamsplitting
attack.
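
The following Python sketch is an added example, not code from the paper. It evaluates Eqs. (41)-(44), locates the mean photon number that maximizes the beamsplitting gain, and checks Eq. (43) by Poisson-averaging the binomial splitting that Eqs. (45)-(47) give for two photons. The function names, the photon-number cutoff and the grid-search bounds are assumptions made here.

```python
# Added example (not from the paper): numerical check of Eqs. (41)-(47).
import math

def p_exp(mu, eta):
    """Eq. (42): Bob receives a signal (eta_B = 1, coherent states)."""
    return 1.0 - math.exp(-eta * mu)

def p_split(mu, eta):
    """Eq. (43): Bob receives a signal and Eve learns its bit value."""
    return p_exp(mu, eta) * (1.0 - math.exp(-(1.0 - eta) * mu))

def gain_bs(mu, eta):
    """Eq. (41): error-free gain per signal under the beamsplitting attack."""
    return 0.5 * (p_exp(mu, eta) - p_split(mu, eta))

def gain_bs_closed(mu, eta):
    """Eq. (44): closed form of the same gain."""
    return 0.5 * math.exp(-(1.0 - eta) * mu) * (1.0 - math.exp(-eta * mu))

def split(n, k, eta):
    """Eqs. (45)-(47) for general n: k photons reach Bob, n - k go to Eve."""
    return math.comb(n, k) * eta**k * (1.0 - eta)**(n - k)

def p_split_from_photons(mu, eta, n_max=80):
    """Poisson-average the event 'Bob and Eve each hold >= 1 photon'."""
    total = 0.0
    poisson = math.exp(-mu)              # P(n = 0)
    for n in range(1, n_max + 1):        # n_max is an assumed cutoff
        poisson *= mu / n                # P(n) from P(n - 1)
        both = 1.0 - split(n, 0, eta) - split(n, n, eta)
        total += poisson * both
    return total

def best_mu(eta, lo=0.01, hi=10.0, steps=9990):
    """Grid search (assumed bounds) for the mu that maximizes Eq. (41)."""
    grid = (lo + i * (hi - lo) / steps for i in range(steps + 1))
    return max(grid, key=lambda mu: gain_bs(mu, eta))

if __name__ == "__main__":
    for eta in (0.5, 0.1, 0.01):
        mu = best_mu(eta)
        print(f"eta={eta}: best mu={mu:.3f}, G_BS={gain_bs(mu, eta):.5f}, "
              f"p(1,1)={split(2, 1, eta):.4f}, p(0,2)={split(2, 0, eta):.4f}")
```

The gain stays positive at every loss level tried, which is why a criterion built only on Eq. (41) cannot flag the regime the text identifies as insecure under the USD attack.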



We would like to stress again that from a technological
point of view the USD attack seems to be easier to implement
than the beamsplitting attack. This is based on
two points. Firstly, experience indicates that complete
measurements which destroy the quantum state completely,
as is possible in the USD attack, are easier to realize (at
least in some approximation) than a quantum channel with
reduced loss, as required by the beamsplitting attack.
Secondly, the beamsplitting attack
implies the use of quantum memory, which could store
the split-off signal photons until the polarization bases
for each signal are announced.

Finally we would like to point out again that a security 
proof for realistic signals with Poissonian photon number
distribution exists for individual attacks [12] and coherent
attacks m3. Naturally, these security proofs include
the security against the beamsplitting attack and against 
the USD attack. 



VI. CONCLUSIONS 

We have quantitatively analyzed an attack against realistic
quantum crypto systems which enables an eavesdropper
to gain information on the key without causing
any errors in the case of a lossy channel or poor detection
efficiencies. It uses unambiguous discrimination of linearly
independent signal states. This attack does not require
the ability to store quantum states or to perform complicated
quantum dynamics. Moreover, the attack does
not require substituting the lossy quantum channel with a
perfect one.

We have derived a set of conditions which allow one to
judge whether a given system can be totally insecure under
the USD attack. We have shown a secure parameter
regime in terms of the total transmission efficiency
and the mean photon number. In the important limit
of small detection efficiencies $\eta_B$ we have obtained an
analytic result so that we can give explicitly a set of
parameters (line transmittances, detector efficiencies and
mean photon numbers in coherent states sent by Alice)
for which the transmission is secure/insecure under the
USD attack. In theory, the signal can always be chosen to
be weak enough to allow secure communication. In practice,
however, the detector noise places restrictions on
that end Q. Finally, we showed that security against
beamsplitting attacks does not necessarily imply security
against the USD attack. This implies that we need to
search for a better conditional security criterion against
attacks deemed practical with currently available
technology.